commit 57a232ec491c32eb6cad4ee9002e0b0d60c07a2b
parent 37c11070e34f93ff8ac2ebaa6a8cc2d4d35f7110
Author: sin <sin@2f30.org>
Date: Tue, 1 Mar 2016 16:25:21 +0000
Add initial version of OpenBSD gateway tutorial
Diffstat:
3 files changed, 311 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
@@ -18,7 +18,8 @@ PAGES = $(MENUPAGES) \
guides/netbsd-linode.html \
guides/rpi-tv.html \
guides/irix-sgi-o2.html \
- guides/openbsd-httpd-cgit.html
+ guides/openbsd-httpd-cgit.html \
+ guides/openbsd-gateway.html
EXTRA = css divzerokey.png favicon.ico index.html \
lectures/resources
diff --git a/guides.md b/guides.md
@@ -11,3 +11,4 @@ Just some notes on various useful tasks.
* [rpi-tv](guides/rpi-tv.html): Raspberry Pi console media center with TV remote on Arch Linux
* [irix-sgi-o2](guides/irix-sgi-o2.html): Installing IRIX 6.5 to an SGI O2 from the network
* [openbsd-httpd-cgit](guides/openbsd-httpd-cgit.html): Configuring httpd, slowcgi and cgit on OpenBSD
+ * [openbsd-gateway](guides/openbsd-gateway.html): Setting up a home gateway with OpenBSD + other goodies
diff --git a/guides/openbsd-gateway.md b/guides/openbsd-gateway.md
@@ -0,0 +1,308 @@
+### Setting up a home gateway with OpenBSD + other goodies
+
+If you have a spare box with two or more NICs, you can turn it into a powerful OpenBSD router.
+In this tutorial, I will walk you through my gateway configuration.
+
+**Remember! Do not blindly copy paste the configuration files!**
+
+### Available hardware and network layout
+
+My router is a [Shuttle XH81V](http://www.shuttle.eu/products/slim/xh81v/). It has two Realtek
+NICs.
+
+I have a single physical subnet, 10.0.0.0/24.
+
+Because of lack of additional NICs or a [VLAN](https://en.wikipedia.org/wiki/Virtual_LAN) capable switch,
+there is no [DMZ](https://en.wikipedia.org/wiki/DMZ_%28computing%29).
+To avoid exposing many services to the outside, I typically use ssh tunneling or a VPN
+to access the services on the inside.
+
+I have a dedicated server hosted in a DC. I use [tinc](http://www.tinc-vpn.org/) in a bridged mode
+configuration to make the server appear on my main subnet. This way, I can access the server transparently even on
+machines on my local network that I cannot install tinc to.
+
+For IPv6, I use a [Hurricane Electric](https://tunnelbroker.net/) tunnel. Their service has proven reliable
+with virtually no downtime experienced in the past year.
+
+### Topics covered
+
+The following topics will be discussed:
+
+* Firewall, routing and NAT configuration
+* DHCP server configuration
+* Split horizon DNS
+* PXE booting
+* Configuring an IPv6 gif(4) tunnel with Hurricane Electric
+* NetFlow sensor and collector configuration
+* Debugging tips
+
+### Firewall, routing and NAT configuration
+
+There is an excellent [tutorial](http://www.openbsd.org/faq/pf/example1.html) in the pf FAQ.
+Fore more information, check the [pf.conf(5)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/pf.conf.5),
+[hostname.if(5)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/hostname.if.5) and
+[ifconfig(8)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/ifconfig.8) manpages.
+
+#### /etc/pf.conf
+
+ int_if = "re1"
+ sshbox = "10.0.0.2"
+ martians = "{ 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 \
+ 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 \
+ 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 \
+ 224.0.0.0/4 240.0.0.0/4 255.255.255.255/32 }"
+
+ set loginterface egress
+ set skip on lo0
+ set block-policy return
+
+ match in all scrub (no-df random-id)
+
+ match out on egress inet from !(egress:network) to any nat-to (egress:0)
+
+ block drop in quick on egress from { no-route urpf-failed $martians }
+ block return out quick on egress to $martians
+ block
+
+ pass in on $int_if
+ pass in on egress inet proto icmp to (egress)
+ pass in on egress inet proto tcp to (egress) port ssh rdr-to $sshbox
+ pass out
+
+#### /etc/sysctl.conf
+
+ net.inet.ip.forwarding=1
+
+#### /etc/hostname.re0
+
+ description "WAN"
+ dhcp
+
+#### /etc/hostname.re1
+
+ description "LAN"
+ inet 10.0.0.1 255.255.255.0 10.0.0.255
+ up
+
+Reboot the router.
+
+### DHCP server configuration
+
+I use [2f30.org](http://2f30.org) as the default search domain. I have a [split horizon DNS](https://en.wikipedia.org/wiki/Split-horizon_DNS)
+configuration so I can access my machines from my local network as well as from the outside.
+
+#### /etc/dhcpd.conf
+
+ option domain-name "2f30.org";
+ option domain-name-servers 10.0.0.1;
+
+ subnet 10.0.0.0 netmask 255.255.255.0 {
+ option routers 10.0.0.1;
+ range 10.0.0.32 10.0.0.127;
+
+ host sshbox {
+ hardware ethernet aa:bb:cc:dd:ee:ff;
+ fixed-address 10.0.0.2;
+ }
+ }
+
+Update /etc/rc.conf.local:
+
+ dhcpd_flags="re1"
+
+Restart dhcpd:
+
+ /etc/rc.d/dhcpd restart
+
+### Split horizon DNS
+
+I am using unbound(8) as a caching DNS resolver.
+
+#### /var/unbound/etc/unbound.conf
+
+ server:
+ interface: 10.0.0.1
+ access-control: 10.0.0.0/24 allow
+
+ local-data: "gw.2f30.org. IN A 10.0.0.1"
+ local-data-ptr: "10.0.0.1 gw.2f30.org."
+
+ local-data: "sshbox.2f30.org. IN A 10.0.0.2"
+ local-data-ptr: "10.0.0.2 sshbox.2f30.org."
+
+ forward-zone:
+ name: "."
+ forward-addr: 208.67.222.222
+ forward-addr: 208.67.220.220
+
+Update /etc/rc.conf.local:
+
+ unbound_flags=
+
+Restart unbound:
+
+ /etc/rc.d/unbound restart
+
+At this point, you should be able to plug a machine to your switch, get an IP address
+and browse the web.
+
+You should also be able to access $sshbox from the outside over ssh on the default port.
+In my configuration this is a separate machine but could just as well be the router itself.
+
+### PXE booting
+
+I use PXE booting on my laptop to upgrade OpenBSD. I run a tftp server on my router
+to serve the latest bsd.rd.
+
+#### Setting up tftpd and dhcpd for PXE booting
+
+Prepare /tftpboot:
+
+ mkdir /tftpboot
+ cp /usr/mdec/pxeboot /tftpboot
+
+Update /etc/dhcpd.conf:
+
+ subnet 10.0.0.0 netmask 255.255.255.0 {
+ filename "pxeboot";
+ next-server 10.0.0.1;
+ ...
+ }
+
+Update /etc/rc.conf.local:
+
+ tftpd_flags="-l 10.0.0.1 /tftpboot"
+
+Restart dhcpd and tftpd:
+
+ /etc/rc.d/tftpd restart
+ /etc/rc.d/dhcpd restart
+
+#### Cron job to fetch latest bsd.rd
+
+Use crontab -e as root to add a new job as follows:
+
+ 15 10 * * * /usr/bin/ftp -o /tftpboot/bsd.rd ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/bsd.rd 1>/dev/null
+
+It will download bsd.rd once a day at 10:15 in the morning.
+
+To test, plug your laptop to the switch and choose to boot over the network. Once you get to the OpenBSD
+boot prompt, type /bsd.rd and hit return.
+
+### Configuring an IPv6 gif(4) tunnel with Hurricane Electric
+
+First of all, you will have to create an account on their [website](https://tunnelbroker.net). From there,
+follow their guide to set up a tunnel. You will basically have to choose the tunnel endpoint. Find the one
+with the minimum latency.
+
+#### /etc/sysctl.conf
+
+net.inet6.ip6.forwarding=1
+
+#### /etc/hostname.gif0
+
+ description "Hurricane Electric 6in4 link"
+ tunnel <your-ipv4-endpoint> <their-ipv4-endpoint>
+ mtu 1480
+ !ifconfig gif0 inet6 alias 2001:XXXX:XXXX:XXXX::2 2001:XXXX:XXXX:XXXX::1 prefixlen 128
+ !route -n add -inet6 default 2001:XXXX:XXXX:XXXX::1
+
+#### /etc/hostname.re1
+
+ inet6 alias 2001:XXXX:XXXX:XXXX::1 64
+
+This will add an IPv6 alias on your router's internal interface.
+
+#### /etc/pf.conf
+
+ pass in on egress inet proto 41 from <their-ipv4-endpoint> to (egress)
+ pass in on gif0 inet6
+
+#### /etc/rtadvd.conf
+
+ re1:\
+ :addrs#1:addr="2001:XXXX:XXXX:XXXX::":prefixlen#64:
+
+Update /etc/rc.conf.local:
+
+ rtadvd_flags="re1"
+
+Reboot your router.
+
+On your OpenBSD client, enable autoconfiguration:
+
+ ifconfig em0 inet6 autoconf
+
+### NetFlow sensor and collector configuration
+
+I use [NetFlow](https://en.wikipedia.org/wiki/NetFlow) to get an idea of what kind of traffic passes through my gateway.
+
+To configure a netflow sensor on the gateway:
+
+#### /etc/pf.conf
+
+ set state-defaults pflow
+
+#### /etc/hostname.pflow0
+flowsrc 10.0.0.1 flowdst 10.0.0.2:5555
+
+Activate sensor:
+
+ pfctl -f /etc/pf.conf
+ sh /etc/netstart pflow0
+
+On the receiver, in this case the box with address 10.0.0.2 we'll install [flowd](http://www.mindrot.org/files/flowd/README). It is a secure and minimal
+netflow collector written by Damien Miller.
+
+First, install flowd from ports.
+
+#### /etc/flowd.conf
+
+ logfile "/var/log/flowd"
+ listen on 10.0.0.2:5555
+ flow source 10.0.0.1
+ store ALL
+
+Restart flowd:
+
+ /etc/rc.d/flowd restart
+
+Give it a moment and use flowd-reader(8) on the specified logfile to examine the flows.
+
+### Debugging tips
+
+One of the advantages of using OpenBSD as opposed to a standard consumer grade router is that
+you have all the needed tools at your disposal for debugging your network. The following manpages
+should be of interest.
+
+* [tcpdump(8)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/tcpdump.8)
+* [systat(4)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/systat.1)
+* [dig(1)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/dig.1)
+* [arp(8)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/arp.8)
+* [ndp(8)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/ndp.8)
+* [route(8)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/route.8)
+* [netstat(1)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/netstat.1)
+* [pflogd(8)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/pflogd.8)
+* [pflow(4)](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/pflow.4)
+
+Keep your configuration as simple as possible. Do not randomly poke on sysctl knobs you do not
+understand. Rely on the defaults unless you have a good reason not to.
+
+If you have made extensive changes on a running system, do a final reboot to make sure everything
+comes back up as expected.
+
+Consider having a second machine connected over serial to your router. This way you can capture a trace
+if the router crashes. It can also be used as an out-of-band mechanism to configure your router without
+hooking up a monitor and a keyboard.
+
+### Reading material
+
+I've found the following references highly informative and useful.
+
+* [OpenBSD FAQ](http://www.openbsd.org/faq/)
+* [TCP/IP Illustrated: Volume 1](http://www.amazon.co.uk/TCP-Illustrated-Protocols-Addison-Wesley-Professional/dp/0321336313/ref=sr_1_1?s=books&ie=UTF8&qid=1453299772&sr=1-1&keywords=tcp%2Fip+illustrated)
+* [Unix Network Programming](http://www.amazon.co.uk/Unix-Network-Programming-Addison-Wesley-Professional/dp/0131411551/ref=sr_1_1?s=books&ie=UTF8&qid=1453299853&sr=1-1&keywords=unix+network+programming)
+* [Book of PF](https://www.nostarch.com/pf3)
+* [IPv6 for IPv4 Experts](https://sites.google.com/site/yartikhiy/home/ipv6book)
+* [IPv6 Core Protocols Implementation](http://www.amazon.co.uk/Protocols-Implementation-Morgan-Kaufmann-Networking-x/dp/0124477518)
+* [TCP/IP guide](http://www.tcpipguide.com/)
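Review bot: `pass in on gif0 inet6` in the /etc/pf.conf addition of the Hurricane Electric section admits every inbound IPv6 packet from the tunnel to the 2001:XXXX:XXXX:XXXX::/64 LAN, so the IPv6 side gets none of the exposure limits the IPv4 side has from the NAT plus the bare `block` default; consider narrowing it to what the LAN needs, e.g. `pass in on gif0 inet6 proto icmp6` plus explicit per-host, per-port pass rules, and let the existing `block` drop the rest (replies to LAN-initiated traffic are already covered by the state created under `pass out`). In the same file, the cron job fetches bsd.rd over plain ftp:// and writes it straight into /tftpboot for PXE clients to boot, with no integrity check; fetching the snapshot's SHA256.sig next to it and verifying with signify(1) before replacing the served file would close that gap. Formatting: `net.inet6.ip6.forwarding=1` (second /etc/sysctl.conf heading) and `flowsrc 10.0.0.1 flowdst 10.0.0.2:5555` (under /etc/hostname.pflow0) lack the four-space indent the other config snippets use, so they will not render as code; `systat(4)` in the debugging list links to man1 and should read `systat(1)`; and "Fore more information" should be "For more information".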